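// this is where we are intercepting all file accesses!
/// <summary>
/// Hook body for <c>ZwCreateFile</c>: forwards the call to the real NtDll export and,
/// when it returns <c>STATUS_SUCCESS</c>, reports the new handle, the requested object
/// name and the access/share/creation flags through a <c>TransferUnit</c> callback.
/// </summary>
/// <remarks>
/// This runs inside the intercepted native call, so it must never throw — a managed
/// exception here would unwind into the caller's native frame. All caller-supplied
/// pointers are therefore null-checked before they are dereferenced; on any missing
/// pointer the corresponding field is simply reported as empty / -1.
/// </remarks>
/// <returns>The NTSTATUS returned by the real <c>ZwCreateFile</c>, unchanged.</returns>
private UInt32 ZwCreateFile_Hooked(IntPtr ptr_to_FileHandle, NtDllSupport.AccessRightsFlags DesiredAccess, IntPtr ObjectAttributes, IntPtr IoStatusBlock, Int32 AllocationSize, Int32 FileAttributes, NtDllSupport.ShareAccessFlags ShareAccess, Int32 CreateDisposition, NtDllSupport.FileCreationFlags CreateOptions, IntPtr EaBuffer, Int32 EaLength)
{
    preprocessHook();

    // Always let the real call run first; the hook only observes, it never filters.
    UInt32 result = NtDllSupport.ZwCreateFile(ptr_to_FileHandle, DesiredAccess, ObjectAttributes, IoStatusBlock, AllocationSize, FileAttributes, ShareAccess, CreateDisposition, CreateOptions, EaBuffer, EaLength);

    if (result == NtDllSupport.STATUS_SUCCESS)
    {
        string object_name = string.Empty;
        int file_handle = -1;

        unsafe
        {
            // On success the callee has stored the new HANDLE behind ptr_to_FileHandle.
            // NOTE(review): only the low 32 bits are read — fine in a 32-bit process,
            // truncating on x64; confirm the target bitness.
            int* pfile_handle = (int*)ptr_to_FileHandle.ToPointer();
            if (pfile_handle != null)
            {
                file_handle = *pfile_handle;
            }

            // ObjectAttributes and its ObjectName come from the caller and may be null;
            // dereferencing them unguarded would crash the hooked process.
            NtDllSupport.OBJECT_ATTRIBUTES* lpobj_attr = (NtDllSupport.OBJECT_ATTRIBUTES*)ObjectAttributes.ToPointer();
            if (lpobj_attr != null)
            {
                NtDllSupport.UNICODE_STRING* pstrng = lpobj_attr->ObjectName;
                if (pstrng != null)
                {
                    object_name = pstrng->ToString();
                }
            }
        }

        TransferUnit transfer_unit = createTransferUnit();
        transfer_unit[Color.ObjectName] = object_name;
        transfer_unit[Color.FileHandle] = file_handle;
        transfer_unit[Color.DesiredAccess] = DesiredAccess;
        transfer_unit[Color.ShareAccess] = ShareAccess;
        transfer_unit[Color.FileCreationFlags] = CreateOptions;
        makeCallBack(transfer_unit);
    }

    return result;
}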
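/// <summary>
/// Hook body for <c>ZwCreateSection</c>: forwards the call to the real NtDll export and,
/// when it returns <c>STATUS_SUCCESS</c>, reports the new section handle, the object
/// name (if any) and the backing file handle through a <c>TransferUnit</c> callback.
/// </summary>
/// <remarks>
/// Runs inside the intercepted native call and must never throw. <c>ObjectAttributes</c>
/// is optional for this API, and an attributes block may carry a null
/// <c>ObjectName</c>, so both pointers are checked before being dereferenced.
/// </remarks>
/// <returns>The NTSTATUS returned by the real <c>ZwCreateSection</c>, unchanged.</returns>
private UInt32 ZwCreateSection_Hooked(IntPtr ptr_SectionHandle, Int32 DesiredAccess, IntPtr ObjectAttributes, IntPtr MaximumSize, Int32 SectionPageProtection, Int32 AllocationAttributes, IntPtr FileHandle)
{
    preprocessHook();

    // Observe only: the real call always runs and its status is returned untouched.
    UInt32 result = NtDllSupport.ZwCreateSection(ptr_SectionHandle, DesiredAccess, ObjectAttributes, MaximumSize, SectionPageProtection, AllocationAttributes, FileHandle);

    if (result == NtDllSupport.STATUS_SUCCESS)
    {
        string object_name = string.Empty;
        int section_handle = -1;

        unsafe
        {
            // The callee has written the new section HANDLE behind ptr_SectionHandle.
            // NOTE(review): only the low 32 bits are read — confirm the target bitness.
            int* psection_handle = (int*)ptr_SectionHandle.ToPointer();
            if (psection_handle != null)
            {
                section_handle = *psection_handle;
            }

            // Both the attributes block and its ObjectName are caller-supplied and may be null.
            NtDllSupport.OBJECT_ATTRIBUTES* lpobj_attr = (NtDllSupport.OBJECT_ATTRIBUTES*)ObjectAttributes.ToPointer();
            if (lpobj_attr != null)
            {
                NtDllSupport.UNICODE_STRING* pstrng = lpobj_attr->ObjectName;
                if (pstrng != null)
                {
                    object_name = pstrng->ToString();
                }
            }
        }

        TransferUnit transfer_unit = createTransferUnit();
        transfer_unit[Color.ObjectName] = object_name;
        transfer_unit[Color.SectionHandle] = section_handle;
        // NOTE(review): IntPtr.ToInt32() throws OverflowException on a 64-bit handle
        // value that does not fit in 32 bits — acceptable only if this is a 32-bit build.
        transfer_unit[Color.FileHandle] = FileHandle.ToInt32();
        makeCallBack(transfer_unit);
    }

    return result;
}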
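// this is where we are intercepting all file accesses!
/// <summary>
/// Hook body for <c>ZwOpenFile</c>: forwards the call to the real NtDll export and,
/// when it returns <c>STATUS_SUCCESS</c>, reports the opened handle and the requested
/// object name through a <c>TransferUnit</c> callback.
/// </summary>
/// <remarks>
/// Runs inside the intercepted native call and must never throw, so the caller's
/// <c>ObjectAttributes</c> and its <c>ObjectName</c> are null-checked before use.
/// Unlike the other hooks this one keys the transfer unit with string literals
/// ("ObjectName", "FileHandle") rather than <c>Color.*</c>; whether the two key forms
/// are interchangeable is not visible here, so the literals are kept as-is.
/// </remarks>
/// <returns>The NTSTATUS returned by the real <c>ZwOpenFile</c>, unchanged.</returns>
private UInt32 ZwOpenFile_Hooked(IntPtr ptr_to_FileHandle, Int32 DesiredAccess, IntPtr ObjectAttributes, IntPtr IoStatusBlock, Int32 ShareAccess, NtDllSupport.FileCreationFlags OpenOptions)
{
    preprocessHook();

    // Observe only: the real call always runs and its status is returned untouched.
    UInt32 result = NtDllSupport.ZwOpenFile(ptr_to_FileHandle, DesiredAccess, ObjectAttributes, IoStatusBlock, ShareAccess, OpenOptions);

    if (result == NtDllSupport.STATUS_SUCCESS)
    {
        string object_name = string.Empty;
        int file_handle = -1;

        unsafe
        {
            // The callee has written the opened HANDLE behind ptr_to_FileHandle.
            // NOTE(review): only the low 32 bits are read — confirm the target bitness.
            int* pfile_handle = (int*)ptr_to_FileHandle.ToPointer();
            if (pfile_handle != null)
            {
                file_handle = *pfile_handle;
            }

            // Caller-supplied pointers may be null; an unguarded dereference would crash
            // the hooked process from inside the syscall path.
            NtDllSupport.OBJECT_ATTRIBUTES* lpobj_attr = (NtDllSupport.OBJECT_ATTRIBUTES*)ObjectAttributes.ToPointer();
            if (lpobj_attr != null)
            {
                NtDllSupport.UNICODE_STRING* pstrng = lpobj_attr->ObjectName;
                if (pstrng != null)
                {
                    object_name = pstrng->ToString();
                }
            }
        }

        TransferUnit transfer_unit = createTransferUnit();
        transfer_unit["ObjectName"] = object_name;
        transfer_unit["FileHandle"] = file_handle;
        makeCallBack(transfer_unit);
    }

    return result;
}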